
Monday, January 6, 2014

NTP reflection DDoS attacks

At the end of 2013 there were several NTP reflection DDoS attacks. Let's see what these are and how they work. A reflection DDoS attack in general looks like the following:

1. The attacker spoofs the victim's IP address and generates lots of small requests to a service (in this case NTP, but there are similar methods for DNS)

2. The server receives the request and generates a much larger answer (because of the request type), which is sent to the spoofed source, i.e. the victim

This means the attacker only needs low bandwidth, yet can easily overload a much larger pipe, because the answer is so much larger than the request. If we add that multiple attackers can generate this traffic (e.g. a botnet), then we have a DDoS. How it looks in the NTP case:

1. Attacker spoofs the IP and sends a MON_GETLIST_1 command to the server. (In the screenshots below I just query my own NTP server to show the packets, and don't do any spoofing)

2. The server responds with the last 600(!!!) IP addresses that have connected to the server.
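To make the amplification concrete, here is a small added example (my own code, not from the original post) that parses NTP mode 7 ("private") packet headers and flags a MON_GETLIST_1 exchange the way a network sensor would. It assumes the standard ntpd mode 7 header layout (response/more bits, implementation number 3 for ntpd, request code 42 for MON_GETLIST_1, 72-byte monlist entries) and works on constructed sample packets: one 8-byte query and three response fragments with zero-filled entries. The names (parse_mode7, is_monlist_response, analyze_flow) are mine.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# NTP mode 7 ("private") constants used by ntpd's monlist query.
NTP_MODE_PRIVATE = 7
IMPL_XNTPD = 3            # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42    # request code of MON_GETLIST_1
MONLIST_ENTRY_SIZE = 72   # size in bytes of one monlist_1 entry


@dataclass
class Mode7Header:
    is_response: bool
    more: bool            # more packets follow in this response
    version: int
    sequence: int
    implementation: int
    request_code: int
    error: int
    item_count: int
    item_size: int
    payload_len: int


def parse_mode7(pkt: bytes) -> Optional[Mode7Header]:
    """Return the parsed mode 7 header, or None if this is not a mode 7 packet."""
    if len(pkt) < 8:
        return None
    b0, b1, impl, req, err_items, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if (b0 & 0x07) != NTP_MODE_PRIVATE:      # low 3 bits of byte 0 are the mode
        return None
    return Mode7Header(
        is_response=bool(b0 & 0x80),          # R bit
        more=bool(b0 & 0x40),                 # M bit
        version=(b0 >> 3) & 0x07,
        sequence=b1 & 0x7F,
        implementation=impl,
        request_code=req,
        error=err_items >> 12,                # 4-bit error code
        item_count=err_items & 0x0FFF,        # 12-bit number of items
        item_size=mbz_size & 0x0FFF,          # 12-bit size of each item
        payload_len=len(pkt) - 8,
    )


def is_monlist_response(hdr: Optional[Mode7Header]) -> bool:
    """True for a successful MON_GETLIST_1 answer: the server still leaks its client list."""
    return (hdr is not None and hdr.is_response and hdr.error == 0
            and hdr.implementation == IMPL_XNTPD
            and hdr.request_code == REQ_MON_GETLIST_1)


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes sent back to the (possibly spoofed) source per byte of request."""
    return sum(len(r) for r in responses) / len(request)


def build_monlist_response(seq: int, more: bool, n_items: int) -> bytes:
    """Constructed sample response fragment; entry bodies are zero-filled placeholders."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | NTP_MODE_PRIVATE
    header = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD,
                         REQ_MON_GETLIST_1, n_items & 0x0FFF, MONLIST_ENTRY_SIZE)
    return header + b"\x00" * (n_items * MONLIST_ENTRY_SIZE)


# Constructed sample flow: one 8-byte query and three 440-byte fragments
# (6 entries of 72 bytes each plus the 8-byte header).
SAMPLE_REQUEST = bytes.fromhex("1700032a00000000")
SAMPLE_RESPONSES = [
    build_monlist_response(0, True, 6),
    build_monlist_response(1, True, 6),
    build_monlist_response(2, False, 6),
]


def analyze_flow(request: bytes, responses: List[bytes]) -> dict:
    """Summarise one query/response flow the way a sensor alert would."""
    req = parse_mode7(request)
    leaked = [h for h in map(parse_mode7, responses) if is_monlist_response(h)]
    return {
        "monlist_query": req is not None and not req.is_response
                         and req.request_code == REQ_MON_GETLIST_1,
        "server_answered": bool(leaked),
        "entries_returned": sum(h.item_count for h in leaked),
        "amplification": amplification_factor(request, responses) if leaked else 0.0,
    }


if __name__ == "__main__":
    print(analyze_flow(SAMPLE_REQUEST, SAMPLE_RESPONSES))
```

With three fragments the constructed flow already shows a 165x amplification; a server that returns the full 600 entries sends roughly 100 such fragments for the same 8-byte query. On a sensor, "monlist_query" true with "server_answered" true for one of your own NTP servers is the condition worth alerting on.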

To fix this on your own server:

1. Update the NTP server version to 4.2.7.p26 or later
2. Add "disable monitor" to the /etc/ntp.conf file

Once it's done, we will see the following responses:

root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1